The PRISM scandal risks scaring users off the cloud, warns Rafael Laguna
The recent PRISM scandal has brought into public view concerns that many in the industry have had for years. It has also brought to light serious issues about international security, privacy and data protection. Most importantly, it has brought to the global public’s attention that their data (be it Facebook posts or Google searches) may not be as private as they once thought.
Even back in 2008 Richard Stallman, founder of the Free Software Foundation and a staunch advocate of privacy, suggested that cloud computing was a trap and forewarned of people losing control of their data and becoming defenceless (in 2011, he told TechWeekEurope that only victims of tyranny should use Facebook, if it is the lesser of two evils). This is not a new discussion but in 2013, PRISM has served to highlight governmental collusion and brought the story to the fore. The political ramifications are huge and it has naturally made the public cry ‘Big Brother is watching you’.
Twelve years of the Patriot Act
But what’s perhaps most interesting is that the US authorities have had wide powers to store international data for a long while – since the 2001 Patriot Act. The act allowed access to cloud data of non-Americans, and the circumvention of European laws. Because the user data was stored in the US, it was ruled to be subject to US jurisdiction, and effectively considered US property.
However, the newer revelation of the UK government’s Project Tempora may dwarf PRISM since it handles a larger data set and has the ability to monitor 600 million communications a day. Tempora allowed Britain’s GCHQ to tap international phone calls and internet data for 30 days without public acknowledgement.
The German broadcaster NDR and Munich’s Süddeutsche Zeitung newspaper reported that Tempora had tapped into a fibre-optic cable linking North Germany with Britain and the US. Is it any wonder that Germany’s Justice Minister Sabine Leutheusser-Schnarrenberger has called Tempora a “Hollywood Nightmare”?
The political argument of alleged collusion and international espionage is playing out in front of our very eyes but the real heart of the matter is that this is more a conversation about trust and transparency, and how this technology came to be exploited. The overriding sentiment is that Europeans did not ask the US or the UK to protect them and for many countries the negative historical legacy of surveillance and data-harbouring still resonates strongly.
The surveillance and exploitation of our data affects us all. We must therefore ask ourselves where the real value in the cloud needs to reside. The simple answer is that the openness of providers is essential in reinstating our trust.
Can the cloud regain our trust?
PRISM and Tempora were allowed to happen because, though secret, they were sanctified through US and UK law. But why do other countries have to accept this? Why are some countries unknowingly subject to the security whims and legalese of others?
There is no real European alternative to the US giants like Google or Microsoft but there is scope for European-based IaaS (Infrastructure as a service) and PaaS (platform as a service) providers to build their solutions through the cloud in Europe. While Tempora has demonstrated that bringing our data back home cannot necessarily guarantee the desired levels of information security, it may be the lesser of two evils when compared with a foreign entity having access to our data.
Traditionally Europe has had more robust regulations for data privacy and the European Commission has also shown that it is not afraid to take on the tech giants, having previously challenged Microsoft over anti-competitive practices, and now undergoing a similar process against Google.
The challenge for the EU is to prove that data can be stored in Europe in confidence and that the integrity and confidentiality of data are not compromised by secret agreements with security agencies or governments. This requires cooperation from all of the European nations, including the UK.
It’s not surprising that the EU is yet to take a formal position on the implications posed by the news of PRISM and Tempora. There is still a lot of dust to settle, and the roles of individual states are not entirely clear at this point. The consequences mean that individuals and organisations will think more carefully about where their data is stored, and what the implications of this are.
It is Europe’s duty to offer an alternative; to show how data privacy and security could work – and it is apparent that the UK has to work more closely with Europe to ensure this. Europe can lead the world in digital privacy standards, and help the cloud to regain any trust that may have been lost in the wake of PRISM and Tempora.
President Obama has said “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience” but this ignores the consequences for cloud providers that this breach of trust has caused. Cloud companies must be able to stand courageously, maintaining transparency whilst being open and ensuring we are all aware of who, beyond ourselves, could have access to our data and be exploiting it.